Publications
Supply chain attacks are exploiting our assumptions
Supply chain attacks exploit fundamental trust assumptions in modern software development, from typosquatting to compromised build pipelines, while new defensive tools are emerging to make these trust relationships explicit and verifiable.
Don’t recurse on untrusted input
We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects.